Sherman's Security Blog
I am Sherman Hand (also known as Policysup). I have created this blog and will use a part of my day to write about what is going on in the world. I hope to discuss things in a down-to-earth and practical way. I hope to hear back from you on your thoughts. I do not in any way intend to speak for my employer. The content of this blog will be either opinions that are strictly mine, general observations, reposts, or information that is already in the public domain.

Several days after Steam’s Christmas fiasco, we still don’t know exactly what happened. We don’t know how many people were affected, how much personal information leaked, or if some friendly Team Fortress players saw our addresses and plan to stop by our homes for an impromptu New Year’s celebration.

We don’t know any of this because Valve, carrying on a grand tradition of opacity, has refused to go into specifics about the fiasco last week, when Steam users across the country logged into the digital store to find that they’d somehow accessed other people’s accounts. It was a creepy, unsettling event for many PC gamers, and although there have been few reports of unauthorized purchases, Steam did expose enough personal information to fuel all sorts of social engineering. For nearly an hour, anyone with a Steam account could see random users’ e-mail addresses, phone numbers, and buying histories as well as the last four digits of their credit card numbers, which would be more than enough to steal someone’s Netflix account.

Yet other than a short statement sent to Kotaku and other press outlets last week—“This issue has since been resolved”—Valve hasn’t said a thing. They haven’t commented on how many people were affected. They haven’t contacted the Steam users whose information was exposed. Most alarmingly, they haven’t informed their 125+ million users—some of whom, sadly, do not read Kotaku—that this happened at all.

This is standard practice for Valve, of course. Their customer support has been horrendous for a long time, and their modus operandi has always been to say as little as possible, no matter how much faith they lose. And oh, they’ve lost faith. On the front page of r/steam right now, for example: “We shouldn’t be okay with the fact that Valve still haven’t apologized for the cache server fiasco.”

For the past few days, several people have contacted Kotaku about what happened to Steam. Some were worried that they’d been exposed and didn’t know about it; others suspected that the false charges on their PayPal accounts were a result of this disaster. There’s been no evidence linking the Steam Winter Fail to unauthorized payments, but even if there was, would anyone know about it?

One Steam user, who asked not to be identified in this story, found out on Christmas that other people had accessed his account. People had seen his name, his address, his phone number, his buying history. And when he contacted Steam support, they didn’t have a single useful thing to say.

It’s infuriating, frankly. Infuriating that some Steam users won’t know this happened; infuriating that others might never know whether or not they were exposed; infuriating that Valve’s customer service is still so useless and uninformative.

Most of all, it’s infuriating that Valve thinks this is okay, that they can just fire off a press statement and let the crisis blow over without even telling customers that the last four digits of their credit cards may have been inadvertently shown to the world. How can such a smart company, one that’s made such stellar, polished games and dominated the PC gaming landscape for nearly a decade now, be so stupid?